Use-case: HBase servers are in a Kerberos-enabled cluster. HBase servers (Masters and RegionServers) are configured to use authentication to connect to ZooKeeper.

Assumption: HBase + secured ZooKeeper.

This Java code snippet can be used to connect to HBase whose ZooKeeper and RPC layers are secured with Kerberos. The HBase client can be on a remote node or inside the cluster.

Kerberos configuration: it lives in krb5.conf, which includes the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Check the config file for the correct KDC location, realm, etc. You can find this file under /etc, or you can override the default location by setting the environment variable KRB5_CONFIG.

To connect to a Kerberos cluster you need a ticket, obtained either interactively with kinit or from a keytab. Because this is being done from a Java / Scala program, we will use a keytab file. A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password).

To create the keytab file with MIT Kerberos we will use ktutil. Remember that the enc-types must be supported by the KDC and listed in krb5.conf; enc-type names are also case sensitive.

ktutil
  ktutil:  addent -password -p user@YOUR-REALM.COM -k 1 -e RC4-HMAC
  Password for user@YOUR-REALM.COM: [enter your password]
  ktutil:  addent -password -p user@YOUR-REALM.COM -k 1 -e aes256-cts
  Password for user@YOUR-REALM.COM: [enter your password]
  ktutil:  addent -password -p user@YOUR-REALM.COM -k 1 -e aes128-cts
  Password for user@YOUR-REALM.COM: [enter your password]  
  ktutil:  wkt user.keytab
  ktutil:  quit

Make sure permissions are correct: chmod 600 user.keytab

To test if generated keytab is correct:
kinit user@YOUR-REALM.COM -k -t user.keytab

It should not throw any error; if there is an issue, check the password, enc-type, etc.

Now you have your KDC and keytab configured.

To connect to HBase we will use the ZooKeeper quorum, a ZooKeeper ensemble that normally consists of 3, 5 or 7 machines.

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.security.UserGroupInformation;

Configuration config = HBaseConfiguration.create();

config.set("hbase.zookeeper.quorum", "comma separated list of host names or IPs only, no ports");
config.set("hbase.zookeeper.property.clientPort", "2181"); // set() takes String values, not an int
config.set("hadoop.security.authentication", "kerberos");
config.set("hbase.security.authentication", "kerberos");
config.set("hbase.cluster.distributed", "true");
config.set("hbase.rpc.protection", "privacy"); // must match the value configured on the HBase side
config.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@YOUR-REALM.COM"); // principal the RegionServers run as
config.set("hbase.master.kerberos.principal", "hbase/_HOST@YOUR-REALM.COM"); // needed even if you connect over rpc/zookeeper

// Now log in / authenticate using the keytab (both calls throw IOException):
UserGroupInformation.setConfiguration(config);
UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("user@YOUR-REALM.COM", "user.keytab");

// The user principal's ticket has a maximum lifetime and a renewable lifetime, so renew it as the application requires:
ugi.reloginFromKeytab(); // call as needed by the application, before the ticket expires
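A complete client that puts the steps above together, as an added example (not code from the original post): it refuses a keytab that group or others can read, logs in from the keytab, and lists tables under ugi.doAs as a smoke test of the Kerberos setup. The quorum hosts, principal and keytab path are placeholders.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.security.UserGroupInformation;

public class SecureHBaseSmokeTest {
    static final String QUORUM = "zk1.example.com,zk2.example.com,zk3.example.com"; // placeholder
    static final String PRINCIPAL = "user@YOUR-REALM.COM";                          // placeholder
    static final String KEYTAB = "/etc/security/keytabs/user.keytab";               // placeholder

    // A keytab is a long-lived credential: refuse one that group or others can read (chmod 600).
    static void requirePrivateKeytab(Path keytab) throws Exception {
        for (PosixFilePermission p : Files.getPosixFilePermissions(keytab)) {
            if (!p.name().startsWith("OWNER_")) {
                throw new IllegalStateException(keytab + " is group/world accessible; chmod 600 it");
            }
        }
    }

    static Configuration buildConfig() {
        Configuration config = HBaseConfiguration.create();
        config.set("hbase.zookeeper.quorum", QUORUM);
        config.set("hbase.zookeeper.property.clientPort", "2181");
        config.set("hadoop.security.authentication", "kerberos");
        config.set("hbase.security.authentication", "kerberos");
        config.set("hbase.rpc.protection", "privacy"); // must match the server-side value
        config.set("hbase.master.kerberos.principal", "hbase/_HOST@YOUR-REALM.COM");
        config.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@YOUR-REALM.COM");
        return config;
    }

    public static void main(String[] args) throws Exception {
        requirePrivateKeytab(Path.of(KEYTAB));
        Configuration config = buildConfig();
        UserGroupInformation.setConfiguration(config);
        UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(PRINCIPAL, KEYTAB);
        ugi.checkTGTAndReloginFromKeytab(); // re-login from the keytab only if the TGT is near expiry
        // Run the HBase call as the keytab identity, not as the JVM's OS user.
        TableName[] tables = ugi.doAs((PrivilegedExceptionAction<TableName[]>) () -> {
            try (Connection conn = ConnectionFactory.createConnection(config); Admin admin = conn.getAdmin()) {
                return admin.listTableNames();
            }
        });
        System.out.println("Authenticated as " + ugi.getUserName() + "; tables visible: " + tables.length);
    }
}
```

If the login fails, the Hadoop UGI exception names the failing Kerberos step (no KDC found, wrong enc-type, clock skew), which points back at krb5.conf or the keytab created above.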
